UPDATE: A Massachusetts restaurant chain was the first company fined under the state’s toughest-in-the-nation data breach law and will have to pay $110,000 in penalties, according to a statement by the Massachusetts Attorney General. The Briar Group LLC entered into a settlement with Massachusetts Attorney General Martha Coakley over allegations that the chain failed to protect patrons’ personal information. The case stemmed from an April 2009 incident in which a malicious program installed on Briar’s computer systems allowed unknown hackers to access customers’ credit and debit card information. That malicious code wasn’t detected and removed until December 2009, according to a statement from the Attorney General.

In the wake of the breach, the company – which owns and operates a number of bars and restaurants in the Boston area – didn’t take reasonable steps to secure its infrastructure. Briar Group failed to change employee login information for point of sale terminals and continued to accept credit and debit cards from customers even after it learned of the breach.

Briar Group will pay the Commonwealth $110,000 in civil penalties and must demonstrate compliance with the state’s data security regulations as well as the Payment Card Industry Data Security Standard (PCI DSS). Restaurants in the Briar Group will have to operate a secure password management system and PCI-compliant data security measures, the Attorney General said in a statement.

In a statement, The Briar Group said that the company believes the agreement with the Massachusetts Attorney General’s office “achieves our shared goal of ensuring that our customers can use their credit cards with confidence in the security of their data.” However, the company took issue with the AG’s depiction of events, which suggested the restaurant company was slow in responding to knowledge of the breach of its corporate network. The company claimed that it voluntarily reported the breach to the Attorney General’s office at the time, engaged a security firm to vet its network security and informed credit card companies about what customer records may have been leaked to hackers. “The Briar Group believes that it acted immediately and aggressively once it was informed of the possible breach,” the company said in its statement.

The case is the first in which a violation of the Commonwealth’s data privacy law, 201 CMR 17, was prosecuted. That law, which took effect on March 1, 2010, is one of the toughest in the nation. It addresses the misuse of personal data by individuals, companies and third-party providers that store, collect or use personal information on Massachusetts residents, including name, Social Security number, driver’s license number or financial information – regardless of whether those organizations are based in or have offices in the state.

Among other things, 201 CMR 17.00 requires organizations that store personal information on Massachusetts residents to encrypt personal information at rest – in databases, servers, laptops, desktops and mobile devices. Data transmitted over wired or wireless networks must also be encrypted.

There was speculation prior to the announcement about when and how forcefully the Attorney General’s office would enforce 201 CMR 17.00, which encountered opposition from business groups for being too far-reaching and costly to implement.

Reported incidents within the last year would seem to provide more fodder for settlements. Among them is a December 2010 report of a breach at CitySights, a New York-based sightseeing company, that affected around 1,800 Massachusetts residents. However, the Attorney General’s Office has been tight-lipped about which cases it will pursue and refuses to confirm or deny ongoing investigations, so it isn’t clear whether other settlements may be coming.

Categories: Compliance, Data Breaches, Government, SMB Security, Web Security

Comments (13)

  1. Anonymous

    If the dates are accurate in the article — how can you be fined when the incident occurred prior to the law going into effect? 

  3. Anonymous

    “how can you be fined when the incident occurred prior to the law going into effect?”

    The article is very confusing as it says they were fined and then it says they entered into a settlement. Notice how they never said what the chain restaurant’s name is…called bad PR…quickest way to kill the business…

  4. Beyond

    In the big scheme of things this law doesn’t matter. Here’s why. Aliens built this planet using alien technology and advanced crypto algorithms. The RSA breach was done by the aliens, as their way of saying ‘don’t bite the hand that feeds you’. These local governments can establish all these breach notification laws but in the end, the aliens will come down and abolish all such laws, resulting in massive settlements among these companies against their local governments. This will apply to all platforms, UNIX, Windows, AS/400 and mainframe (most which came from alien technology leased through US government agencies in exchange for reallocation of radio spectrum frequencies that interfered with intrastellar vessels/commerce transport systems).

  5. Anonymous

    Just to be clear, where in the MA regulation does it require encryption for data at rest on servers?

    Was there an amended one?

    (3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

    (5) Encryption of all personal information stored on laptops or other portable devices;

    I appreciate the article but facts are important…

  6. Anonymous

    And what restaurants does Briar Group operate? What if I wanted to know if my personal info had been potentially compromised?

    That list would be: the green briar, the harp, m.j. o’conners, ned devine’s, parris, city bar, boston event solution, solas, the lenox hotel, the anthem kitchen and bar, and city table.

  7. Anonymous

    I agree!!!!

    I hate it when they pull that kind of thing. Similar to, say, a DUI law they passed in my state that would say after 3 years, if no other DUI or similar occurred, it would be dropped from your record. However, when they change a law such as the one I mentioned, if, let’s say, you had a DUI in 1970, one in 1980, one in 1990, one in 2000, all of them should be off your record, “RIGHT”? Nope, if you got one in my state in 2010 you’re going to prison as a felon. 5th DUI. Clearly this example does not sound good for the person in this issue; however, I say once they change a law it should be from that point forward, not pull up crap from the past that was supposed to have been off your record.

  8. John M.

    I can’t tell if you are serious or not, but this was one of the greatest comments I’ve ever seen.

  9. Anonymous

    Here is a link to the regulation as maintained by Mass EOCA. http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

    As far as I can tell, you are correct that data at rest does not need to be encrypted. I suppose there might be an argument that if the data is intended to be transmitted then it needs to be encrypted even if not actually in transit, but I think that’s a tortured reading and not what the regulation means. I know of no amendments to the regs that would change that.